Reference: Anti-malware settings
When you create an Anti-Malware policy, you can add settings to control the user experience. These settings apply to both System Center Endpoint Protection (SCEP) and Windows Defender Antivirus unless they are labeled (SCEP only) or (Defender only).
Client Interface
Display additional text to clients when they need to perform an action
Set a custom message to display to users when they need to perform an action. The string must be less than 1024 characters.
Example: Contact our company help desk at 555-1212 for more help.
Display notifications to clients when they need to perform actions
Configure whether to display notifications to users when they need to perform an action.
Enable or do not configure this setting to display notifications to users when they need to perform an action.
Disable this setting to prevent notifications from being displayed to users.
Enable headless UI mode
Configure whether the Windows anti-malware user interface displays to users.
Enable this setting to hide the Windows anti-malware user interface from users.
Disable or do not configure this setting to show the Windows anti-malware user interface to users.
Suppresses reboot notifications
Configure whether reboot notifications display to users.
Enable this setting to suppress reboot notifications.
Disable or do not configure this setting to display reboot notifications to users.
Exclusions
Extension Exclusions
Specify file extensions to exclude from scanning.
Example: obj
IP address range Exclusions
Specify IP addresses to exclude from network scanning.
Example: 192.0.2.10-192.0.2.50 (write the range from the lower address to the higher address)
Path Exclusions
Specify file paths to exclude from scanning.
Example: C:\Program Files
Port number Exclusions
Specify TCP ports to exclude from network scanning.
Example: 17472
Process Exclusions
Specify a path to a process to exclude all files opened by that process from scanning. Each value must be a full path to a process. The process itself is still scanned.
Example: C:\Windows\Program.exe
Process Exclusions for outbound traffic
Specify a path to a process to exclude outbound traffic from that process from network scanning.
Example: C:\Windows\Program.exe
Threat ID Exclusions
Exclude specific threats, identified by threat ID, from network scanning.
Example: 2925110632
Turn off Auto Exclusions (Defender Only)
Turn Automatic Exclusions on or off.
Enable this setting to turn off Automatic Exclusions.
Disable or do not configure this setting to turn on Automatic Exclusions.
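Every exclusion in this section is a place where the engine will not look, so the list deserves periodic review. The following added example (not part of this reference, and not Microsoft code) reads the effective exclusions from a Windows Defender endpoint with Get-MpPreference and flags entries that an attacker can easily land in: whole-drive or user-writable path exclusions, exclusions of executable or script file types, and process exclusions for script interpreters and other living-off-the-land binaries. The pattern and name lists are this example's own choices, not values from the reference.

```powershell
# Added example: audit effective Defender exclusions for risky entries.
# Requires an elevated PowerShell session; run on the endpoint being audited.
#Requires -RunAsAdministrator

$pref = Get-MpPreference

# Path exclusions that cover whole drives, user-writable trees, or use wildcards
$riskyPathPatterns = @(
    '^[A-Za-z]:\\?$',        # whole drive root, e.g. C:\
    '\\Users\\',             # anything under user profiles
    '\\Temp\\?',             # temp directories
    '\\AppData\\',           # per-user application data
    '\\ProgramData\\?$',     # root of ProgramData
    '\\Downloads\\?',        # browser download folders
    '\*'                     # wildcard anywhere in the path
)

# Executable or script content types; excluding them removes scanning where it matters most
$riskyExtensions = @('exe','dll','sys','ps1','psm1','vbs','js','jse','bat','cmd',
                     'scr','hta','msi','lnk','com','pif','wsf')

# Interpreters and LOLBins: excluding the process excludes every file it opens
$riskyProcesses = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                    'mshta.exe','rundll32.exe','regsvr32.exe','msbuild.exe','certutil.exe',
                    'installutil.exe','msiexec.exe','explorer.exe','svchost.exe')

$findings = New-Object System.Collections.Generic.List[object]

foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    foreach ($pat in $riskyPathPatterns) {
        if ($p -match $pat) {
            $findings.Add([pscustomobject]@{ Type='Path'; Value=$p; Reason="matches $pat" })
            break
        }
    }
}

foreach ($e in @($pref.ExclusionExtension)) {
    if (-not $e) { continue }
    $clean = $e.TrimStart('.').ToLowerInvariant()
    if ($riskyExtensions -contains $clean) {
        $findings.Add([pscustomobject]@{ Type='Extension'; Value=$e; Reason='executable or script type' })
    }
}

foreach ($proc in @($pref.ExclusionProcess)) {
    if (-not $proc) { continue }
    $leaf = [System.IO.Path]::GetFileName($proc).ToLowerInvariant()
    if ($riskyProcesses -contains $leaf -or $proc -match '\*') {
        $findings.Add([pscustomobject]@{ Type='Process'; Value=$proc; Reason='interpreter/LOLBin or wildcard' })
    }
}

# Any IP range exclusion blinds network inspection for that range; report all of them
foreach ($ip in @($pref.ExclusionIpAddress)) {
    if ($ip) {
        $findings.Add([pscustomobject]@{ Type='IpAddress'; Value=$ip; Reason='network inspection bypassed for this range' })
    }
}

Write-Output ("Automatic exclusions: {0}" -f $(if ($pref.DisableAutoExclusions) { 'off' } else { 'on' }))
if ($findings.Count -eq 0) {
    Write-Output 'No risky exclusions found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Get-MpPreference reports the merged result of policy and local preferences, so this is the list the engine actually honours; a process exclusion still scans the process image itself, as the reference notes, but everything that process opens goes unscanned.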
MAPS
Configure local setting override for reporting to MAPS
Allow the local preference for joining the Microsoft Active Protection Service to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Join MAPS
Join the Microsoft Active Protection Service. Possible values are:
- Disabled
- Basic MAPS
- Advanced MAPS
Send file samples when further analysis is required
Configure how samples are sent to the Microsoft Active Protection Service. Possible values are:
- Always prompt
- Send safe samples
- Never send
- Send all samples
Network Inspection System
Define the rate of detection events for logging
Control the time interval in minutes for logging of detection events. Each event is logged at most once per time interval.
Default value: 60
Specify additional definition sets for network traffic inspection
Specify additional definition sets to enable for network scanning. Each value must be a GUID of a definition set to enable.
Example: {b54b6ac9-a737-498e-9120-6616ad3bf590}
Turn on definition retirement
Control whether known network vulnerabilities are scanned for after they are patched.
Enable or do not configure this setting to stop checking for network vulnerabilities after they are patched.
Disable this setting to always check for known network vulnerabilities.
Turn on protocol recognition
Control whether network protocol recognition is used to protect against attacks from known vulnerabilities.
Enable or do not configure this setting to enable network protocol recognition.
Disable this setting to disable network protocol recognition.
Quarantine
Configure local setting override for the removal of items from Quarantine folder
Allow the local preference for the number of days to keep items in the quarantine folder to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure removal of items from Quarantine folder
Define the number of days that items are kept in the quarantine folder before they are removed. By default, items remain in the quarantine folder indefinitely.
Example: 30
Real-time Protection
Configure local setting override for monitoring file and program activity on your computer
Allow the local preference for file and program activity to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for monitoring for incoming and outgoing file activity
Allow the local preference for monitoring of incoming and outgoing file activity to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for scanning all downloaded files and attachments
Allow the local preference for scanning downloaded files and attachments to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for turn on behavior monitoring
Allow the local preference for behavior monitoring to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for turn on script scanning (SCEP Only)
Allow the local preference for script scanning to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override to turn off Intrusion Prevention System
Allow the local preference for network scanning to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override to turn on real-time protection
Allow the local preference for turning on real-time protection to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure monitoring for incoming and outgoing file and program activity
Configure whether incoming or outgoing files are scanned. On servers with heavy network traffic, disabling scanning for a particular direction can help to achieve optimal network performance. This setting is applicable only to NTFS volumes.
Define the maximum size of downloaded files and attachments to be scanned
Configure the maximum size of downloaded files and attachments to scan. The value is the maximum file size in kilobytes.
Example: 524288
Monitor file and program activity on your computer
Configure monitoring of file and program activity.
Enable or do not configure this setting to turn on monitoring of file and program activity.
Disable this setting to turn off monitoring of file and program activity.
Scan all downloaded files and attachments
Configure scanning of downloaded files and attachments.
Enable or do not configure this setting to scan all downloaded files and attachments.
Disable this setting to turn off scanning of downloaded files and attachments.
Turn off real-time protection
Configure whether users are prompted when known malware is detected.
Enable this setting to never prompt users to take action when malware is detected.
Disable or do not configure this setting to prompt users to take action when malware is detected.
Before deploying this setting broadly, confirm on a test endpoint what the effective real-time protection state becomes; on Windows Defender, Get-MpComputerStatus reports RealTimeProtectionEnabled.
Turn on behavior monitoring
Turn behavior monitoring on or off.
Enable or do not configure this setting to enable behavior monitoring.
Disable this setting to disable behavior monitoring.
Turn on Information Protection Control
Turn Information Protection Control on or off.
Enable this setting to turn on Information Protection Control.
Disable or do not configure this setting to turn off Information Protection Control.
Turn on network protection against exploits of known vulnerabilities
Configure network protection from known vulnerabilities.
Enable or do not configure this setting to turn on network protection.
Disable this setting to turn off network protection.
Turn on process scanning whenever real-time protection is enabled
Configure whether all processes are scanned when real-time protection is first turned on. This scan can detect malware that starts when real-time protection is off.
Enable or do not configure this setting to start a process scan when real-time protection is turned on.
Disable this setting to not start a process scan when real-time protection is turned on.
Turn on raw volume write notifications
Configure notifications of raw volume writes.
Enable or do not configure this setting to turn on raw write notifications.
Disable this setting to turn off raw write notifications.
Turn on script scanning (SCEP Only)
Configure script scanning.
Enable or do not configure this setting to enable script scanning.
Disable this setting to disable script scanning.
Remediation
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Allow the local preference for the scheduled scan time to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Specify the day of the week to run a scheduled full scan to complete remediation
Schedule the day of the week to perform a full scan.
Specify the time of day to run a scheduled full scan to complete remediation
Specify the time of day to perform a full scan. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.
Example: 180
Reporting
Configure time out for detections in critically failed state
Set the time in minutes for a "critically failed" detection to move to "additional action" or be "cleared."
Example: 7200
Configure time out for detections in non-critical failed state
Set the time in minutes to "clear" a "non-critically failed" detection.
Example: 7200
Configure time out for detections in recently remediated state
Sets the time in minutes to "clear" a "completed" detection.
Example: 7200
Configure time out for detections requiring additional action
Set the time in minutes to "clear" an "additional action."
Example: 7200
Configure Watson events (SCEP Only)
Use this policy setting to configure whether or not Watson events are sent. This value has been deprecated as of the February 2015 anti-malware platform update. For more information, see Microsoft: February 2015 anti-malware platform update for Endpoint Protection clients.
Configure Windows software trace preprocessor components
Configure the Windows software trace preprocessor.
Configure WPP tracing level
Configure tracing levels for the Windows software trace preprocessor (WPP Software Tracing). The allowed values are Error (1), Warning (2), Info (3), or Debug (4).
Example: 1
Scan
Allow users to pause scan
Allow users to pause a scan while it is in progress.
Enable or do not configure this setting to add a new context menu to the task tray icon that allows users to pause a scan.
Disable this setting to prevent users from pausing scans.
Check for the latest virus and spyware definitions before running a scheduled scan
Check for new virus and spyware definitions before running a scan. This setting does not apply to scans started manually from the user interface.
Enable to check for new definitions before running a scan.
Disable or do not configure this setting for scans to use existing definitions.
Configure local setting override for maximum percentage of CPU utilization
Allow the local preference for maximum CPU utilization to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for schedule scan day
Allow the local preference for the scheduled scan day to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for scheduled quick scan time
Allow the local preference for the scheduled quick scan time to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for scheduled scan time
Allow the local preference for the scheduled scan time to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Configure local setting override for the scan type to use for a scheduled scan
Allow the local preference for the scan type to use during a scheduled scan to override the group policy.
Enable this setting for the local preference to have precedence over the group policy.
Disable or do not configure this setting for the group policy to have precedence over the local preference.
Create a system restore point
Configure whether a daily system restore point is created on an endpoint before it is cleaned.
Enable this setting to create a system restore point before cleaning.
Disable or do not configure this setting to prevent a system restore point from being created.
Define the number of days after which a catch-up scan is forced (Defender Only)
Specify the number of consecutive scheduled scans that can be missed until a forced catch-up scan runs. Despite the setting name, the value is a count of missed scheduled scans, not a number of days.
Example: 2
Default value: 2
Run full scan on mapped network drives
Configure whether mapped network drives are scanned.
Enable this setting to scan mapped network drives.
Disable or do not configure this setting to prevent scanning mapped network drives.
Scan archive files
Configure whether archive files are scanned. Archive files are ZIP or CAB files.
Enable or do not configure this setting to scan archive files.
Disable this setting to prevent scanning archive files.
Scan network files
Configure whether network files are scanned.
Enable this setting to scan network files.
Disable or do not configure this setting to prevent scanning network files.
Scan packed executables
Configure whether packed executables are scanned.
Enable or do not configure this setting to scan packed executables. For best results, use this setting.
Disable this setting to prevent scanning of packed executables.
Scan removable drives
Configure whether removable drives, such as USB flash drives, are scanned when running a full scan.
Enable this setting to scan removable drives during any type of scan.
Disable or do not configure this setting to prevent scanning of removable drives in full scans. Removable drives can still be scanned during quick scans and custom scans.
Specify the interval to run quick scans per day
Configure the quick scan interval in hours. The value 0 means that quick scans are never scheduled.
Example: 24
Default value: 0
Specify the maximum depth to scan archive files
Set the maximum directory depth that archive files are unpacked during scanning. Archive files are ZIP or CAB files.
Example: 1
Default value: 0
Specify the maximum percentage of CPU utilization during a scan
Set the maximum percentage CPU utilization allowed during a scan. Valid percentage values can range from 5 to 50. The value 0 means that there is no limit.
Example: 5
Default value: 50
Specify the maximum size of archive files to be scanned
Set the maximum size of archive files that are scanned. Archive files are ZIP or CAB files. The value is the number of kilobytes. The value 0 means that there is no size limit.
Example: 1048576
Default value: 0
Specify the scan type to use for a scheduled scan
Specify the scan type used during scheduled scans. By default, scheduled scans use quick scans.
Specify the time for a daily quick scan
Specify the time of day when a daily quick scan runs. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.
Example: 180
Default value: 120
Start the scheduled scan only when computer is on but not in use
Set whether scans begin only when the endpoint is idle.
Enable or do not configure this setting to start scans only when the endpoint is idle.
Disable to start scans at the scheduled time.
Turn on catch-up full scan
Configure whether to start a full scan if two consecutive scheduled scans are missed. The full scan starts the next time someone logs in after the scheduled scans are missed.
Enable this setting to turn on catch-up full scans.
Disable or do not configure this setting to turn off catch-up full scans.
Turn on catch-up quick scan
Configure whether to start a quick scan if two consecutive scheduled scans are missed. The quick scan starts the next time someone logs in after the scheduled scans are missed.
Enable this setting to turn on catch-up quick scans.
Disable or do not configure this setting to turn off catch-up quick scans.
Turn on e-mail scanning
Configure whether email and email attachments are scanned.
Enable this setting to turn on email scanning.
Disable or do not configure this setting to turn off email scanning.
Turn on heuristics
Heuristics improve the capability to flag new threats.
Enable or do not configure this setting to turn on heuristics. For best results, use this setting.
Disable this setting to turn off heuristics.
Turn on removal of items from scan history folder
Configure the number of days that items are kept in the scan history folder before being permanently removed. The value 0 means that items are never removed from the history folder.
Example: 7
Default: 30
Turn on reparse point scanning
Configure whether reparse points are scanned. Reparse points are followed to a maximum depth, so a recursive reparse point might slow down scanning, but it does not cause an error.
Enable this setting to scan reparse points.
Disable or do not configure this setting to prevent reparse point scanning.
Signature Updates
Allow definition updates from Microsoft Update
Enable definition updates to be downloaded from Microsoft Update even if Automatic Updates are configured to use a different download source.
Enable this setting to download definition updates from Microsoft Update.
Disable or do not configure this setting to download definition updates from the configured source.
Allow definition updates when running on battery power
Configure whether definitions are updated when an endpoint is running on battery power.
Enable or do not configure this setting to update definitions even when an endpoint is running on battery power.
Disable this setting to turn off definition updates when an endpoint is running on battery power.
Allow notifications to disable definitions based reports to MAPS
Enable receiving notifications from MAPS to disable definitions that are causing false positives. MAPS must be configured on an endpoint to successfully use this functionality.
Enable or do not configure this setting to receive notifications from MAPS to disable definitions that are causing false positives.
Disable this setting to turn off receiving notifications from MAPS to disable definitions.
Allow real-time definition updates based on reports to MAPS
Enable real-time definition updates if MAPS finds that the latest definition update has definitions for a threat involving an unknown file. MAPS must be configured on an endpoint to successfully use this functionality.
Enable or do not configure this setting to enable real-time definition updates.
Disable this setting to turn off real-time definition updates.
Check for the latest virus and spyware definitions on startup
Specify whether definition updates should be checked at service startup.
Enable this setting to check for definition updates at service startup.
Disable or do not configure this setting to prevent checking for definition updates at service startup.
Define file shares for downloading definition updates
Set UNC file shares for downloading definition updates. The file shares are tried in the specified order.
Example: \\corp\updates
Define the number of days after which a catch-up definition update is required
Specify the number of days that can pass before a forced catch-up definition update.
Example: 7
Default value: 1
Define the number of days before spyware definitions are considered out of date
Set the number of days that can pass before spyware definitions are considered out of date.
Example: 7
Default value: 14
Define the number of days before virus definitions are considered out of date
Set the number of days that can pass before virus definitions are considered out of date.
Example: 7
Default value: 14
Define the order of sources for downloading definition updates
Specify the order for definition update sources to be contacted. Possible values are:
- Microsoft Update
- Microsoft Malware Protection Center
- Internal definition update server
- File shares
Initiate definition update on startup
Configure whether definitions are updated on startup when there is no antimalware engine.
Enable or do not configure this setting to enable definition updates on startup when no antimalware engine is present.
Disable this setting to turn off definition updates when no antimalware engine is present.
Specify the day of the week to check for definition updates
Specify the day of the week to check for definition updates. By default, updates are checked every day.
Specify the interval to check for definition updates
Specify the definition update check interval in hours.
Example: 12
Specify the time to check for definition updates
Specify the time of day to check for definition updates. The value is the number of minutes past midnight in the local time for the endpoint to check for definition updates. By default, definition updates are checked 15 minutes before the scheduled scan time.
Example: 120
Turn on scan after signature update
Configure whether a scan should start after a definition update.
Enable or do not configure this setting to start a scan after a definition update.
Disable this setting to not start a scan after a definition update.
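The Real-time Protection settings and the Signature Updates settings above define what should be in effect, but a local override, a stopped service, or an unreachable update source can leave an endpoint short of that. The following added example (not part of this reference, and not Microsoft code) checks the effective state on a Windows Defender endpoint with Get-MpComputerStatus and Get-MpPreference and compares signature age against the reference's default of 14 days before definitions are considered out of date. The quick scan threshold, the parameter names, and the optional signature refresh are this example's own assumptions.

```powershell
# Added example: compliance check for real-time protection and signature freshness.
# Exit code 0 = all checks pass, 1 = at least one check failed (usable from a scheduled task).
#Requires -RunAsAdministrator
param(
    [int]$MaxSignatureAgeDays = 14,   # mirrors the reference default for "out of date"
    [int]$MaxQuickScanAgeDays = 7,    # this example's own threshold
    [switch]$UpdateIfStale            # refresh signatures when the age check fails
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = @(
    @{ Name='Antimalware service running';        Ok = [bool]$status.AMServiceEnabled }
    @{ Name='Real-time protection on';            Ok = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring }
    @{ Name='Behavior monitoring on';             Ok = $status.BehaviorMonitorEnabled -and -not $pref.DisableBehaviorMonitoring }
    @{ Name='On-access file activity scanning';   Ok = [bool]$status.OnAccessProtectionEnabled }
    @{ Name='Downloaded files/attachments (IOAV)';Ok = $status.IoavProtectionEnabled -and -not $pref.DisableIOAVProtection }
    @{ Name='Network protection (NIS/IPS)';       Ok = $status.NISEnabled -and -not $pref.DisableIntrusionPreventionSystem }
    @{ Name='Script scanning on';                 Ok = -not $pref.DisableScriptScanning }
    @{ Name='Antivirus signatures fresh';         Ok = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays }
    @{ Name='Antispyware signatures fresh';       Ok = $status.AntispywareSignatureAge -le $MaxSignatureAgeDays }
    @{ Name='NIS signatures fresh';               Ok = $status.NISSignatureAge -le $MaxSignatureAgeDays }
    @{ Name='Quick scan recent';                  Ok = $status.QuickScanAge -le $MaxQuickScanAgeDays }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-40} {1}' -f $c.Name, $state)
}
Write-Output ('Antivirus signature version {0}, last updated {1}' -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

$failed = @($checks | Where-Object { -not $_.Ok })

# Optional remediation for the one condition a script can safely fix on its own
$stale = $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays
if ($stale -and $UpdateIfStale) {
    Write-Output 'Signatures are stale; requesting an update from the configured sources.'
    Update-MpSignature
}

if ($failed.Count -gt 0) {
    Write-Output ("{0} check(s) failed." -f $failed.Count)
    exit 1
}
exit 0
```

When one of the "Configure local setting override" settings is enabled, Get-MpPreference shows the local value that won; comparing its output with the policy you intended to apply is the quickest way to spot an override you did not expect.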
System Center Endpoint Protection
Turn on Potentially Unwanted Application (PUA) detection (SCEP Only)
Configure whether potentially unwanted applications (PUAs) are blocked from being downloaded through Internet Explorer, Firefox, and Chrome.
Enable this setting to block PUA downloads through those browsers.
Disable or do not configure this setting to disable improved PUA detection.
Turn on threat file hash logging (SCEP Only)
Determines whether the file hash (SHA-1) of any detected threat file is recorded in the event log for additional research and correlation with other threat streams. When a threat file is detected and hash logging is enabled, event ID 1120 is recorded in the System log.
Enable this setting for events to be recorded.
Disable or do not configure this setting for threat file hashes to not be recorded to the event log.
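Hash logging only pays off if something collects the hashes. The following added example (not part of this reference, and not Microsoft code) pulls event ID 1120 from the System log, where SCEP logs under the provider name "Microsoft Antimalware", and from the Windows Defender Antivirus Operational channel, extracts the SHA-1 from the event text with a regular expression so that differences in message layout between versions do not matter, and writes a de-duplicated hash list for correlation. The look-back window and the output path are this example's assumptions.

```powershell
# Added example: collect threat file hashes logged under event ID 1120.
#Requires -RunAsAdministrator
param([int]$Days = 30)   # look-back window, this example's default

$since = (Get-Date).AddDays(-$Days)
$filters = @(
    @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 1120; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1120; StartTime = $since }
)

$events = foreach ($f in $filters) {
    try {
        Get-WinEvent -FilterHashtable $f -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no events found" as an error; treat it as an empty result
        @()
    }
}

$sha1Regex = '\b[0-9a-fA-F]{40}\b'
$rows = foreach ($ev in $events) {
    $hash = [regex]::Match($ev.Message, $sha1Regex).Value
    [pscustomobject]@{
        Time   = $ev.TimeCreated
        Log    = $ev.LogName
        Sha1   = if ($hash) { $hash.ToLowerInvariant() } else { '<not found in message>' }
        Detail = ($ev.Message -split "`r?`n")[0]   # first line of the event text
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# One hash per line, ready to feed into a threat-intelligence lookup or SIEM watchlist
$outFile = Join-Path $env:TEMP 'threat-hashes.txt'
$rows | Where-Object { $_.Sha1 -notlike '<*' } |
    Select-Object -ExpandProperty Sha1 -Unique |
    Set-Content -Path $outFile
Write-Output ("Wrote unique hashes to {0}" -f $outFile)
```

The script reports "not found in message" rather than guessing when an event carries no 40-character hex token, so a parsing gap shows up as a row instead of disappearing silently.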
Turn on virus definitions (SCEP Only)
Manage virus definitions used during a scan.
Enable or do not configure this setting for virus definitions to be used during scans.
Disable this setting for virus definitions to not be used during scans.
Threats
Specify threat alert levels at which default action should not be taken when detected
Customize the remediation action to take for each threat alert level.
Possible values for threat alert levels are:
- Low
- Medium
- High
- Severe
Possible values for remediation actions are:
- Quarantine
- Remove
- Ignore
Specify threats upon which default action should not be taken when detected
Customize the remediation action to take for each detected Threat ID. Possible values for remediation actions are:
- Quarantine
- Remove
- Ignore
Windows Defender
Allow antimalware service to remain running always
Choose whether the Windows Anti-malware service keeps running when virus and spyware definitions are disabled.
Enable this setting to keep the Windows Anti-malware service running when virus and spyware definitions are disabled.
Disable or do not configure this setting to stop the Windows Anti-malware service when virus and spyware definitions are disabled.
Allow antimalware service to startup with normal priority
Modify the startup priority of the Windows Defender service. This might impact performance.
Enable or do not configure this setting to start the Windows Anti-malware service with normal priority.
Disable this setting to start the Windows Anti-malware service with low priority.
Configure local administrator merge behavior for lists
Control whether local preferences for exclusions and threats are merged with the group policy.
Enable or do not configure this setting to merge local preferences with the group policy. Group policy settings take precedence over local preferences, but any exclusion or threat action added locally is also honoured, so a local administrator account (or malware running as one) can extend the lists the policy defines.
Disable this setting to ignore local preferences.
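The Threats settings above and the merge behavior setting together decide whether a local administrator can make a detection disappear, either by adding an exclusion or by setting a permissive default action for a severity level or a specific threat ID. The following added example (not part of this reference, and not Microsoft code) compares the exclusions the applied policy defines, read from the Windows Defender policy registry hive, with the effective lists from Get-MpPreference, and also reports any severity or threat ID whose default action is Allow or NoAction. It assumes the management channel on the endpoint writes policy exclusions to HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions; the action code mapping in the comments is that of the MSFT_MpPreference class.

```powershell
# Added example: detect locally added exclusions and permissive threat actions.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-PolicyList([string]$SubKey) {
    # Policy exclusions are stored as value names (DWORD data 0) under Paths/Extensions/Processes
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { return @() }
    (Get-Item $key).GetValueNames() | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
}

$pref = Get-MpPreference
$lists = @(
    @{ Name='Path';      Policy = @(Get-PolicyList 'Paths');      Effective = @($pref.ExclusionPath) }
    @{ Name='Extension'; Policy = @(Get-PolicyList 'Extensions'); Effective = @($pref.ExclusionExtension) }
    @{ Name='Process';   Policy = @(Get-PolicyList 'Processes');  Effective = @($pref.ExclusionProcess) }
)

# Anything effective that the policy does not define must have been added locally
$drift = foreach ($l in $lists) {
    foreach ($item in $l.Effective) {
        if (-not $item) { continue }
        if ($l.Policy -notcontains $item.ToLowerInvariant()) {
            [pscustomobject]@{ Type = $l.Name; Value = $item; Origin = 'local (not in policy)' }
        }
    }
}

# MSFT_MpPreference action codes: Clean=1 Quarantine=2 Remove=3 Allow=6 UserDefined=8 NoAction=9 Block=10
$permissive = @(6, 9)

$weakSeverities = foreach ($name in 'LowThreatDefaultAction', 'ModerateThreatDefaultAction',
                                    'HighThreatDefaultAction', 'SevereThreatDefaultAction') {
    $code = [int]$pref.$name
    if ($permissive -contains $code) {
        [pscustomobject]@{ Type = 'Severity'; Value = $name; Origin = "action code $code" }
    }
}

$ids  = @($pref.ThreatIDDefaultAction_Ids)
$acts = @($pref.ThreatIDDefaultAction_Actions)
$weakIds = for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$acts[$i]
    if ($permissive -contains $code) {
        [pscustomobject]@{ Type = 'ThreatID'; Value = $ids[$i]; Origin = "action code $code" }
    }
}

$mergeState = if ($pref.DisableLocalAdminMerge) { 'disabled' } else { 'enabled (local additions are honoured)' }
Write-Output ("Local admin merge: {0}" -f $mergeState)

$all = @($drift) + @($weakSeverities) + @($weakIds)
if ($all.Count -eq 0) {
    Write-Output 'No local drift or permissive threat actions detected.'
} else {
    $all | Format-Table -AutoSize
}
```

The comparison is a case-insensitive exact match, so a policy path written with a trailing backslash and a local one without it will show as drift; treat a hit as a prompt to look, not as proof of tampering. A clean report with merge enabled still means the door is open: disabling merge is what closes it.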
Define addresses to bypass proxy server
Bypass the proxy for a specific IP address. The value must be a valid URL.
Define proxy server for connecting to the network
Configure a proxy to use for downloading definition updates or reporting events to MAPS. By default, the following settings are used in order:
- Internet Explorer proxy settings
- Auto-detect
- None
Randomize scheduled task times
Randomize the start time of scheduled tasks.
Enable or do not configure this setting for scheduled tasks to begin randomly within 30 minutes of their scheduled start time.
Disable this setting for scheduled tasks to begin at their scheduled start time.
Turn off routine remediation
Control whether Windows Anti-malware automatically remediates threats.
Enable this setting to prevent automatic remediation. Instead, users are prompted with a choice of actions to take.
Disable or do not configure this setting to automatically take action on all detected threats.
Turn off Windows Defender
Turn Windows Anti-malware on or off.
Enable this setting to turn off Windows Anti-malware.
Disable or do not configure this setting to turn on Windows Anti-malware.
Last updated: 2/23/2021 1:24 PM